I am using splunk 6.3.1. My data is indexed as JSON. Not all fields will have a value. For example, 2 (very simplified events) could look like this:
{
"host":"hostname",
"field2":"pickle",
"field3": "onion"
}
{
"host": "host2",
"field2": "pickachu"
}
I have a dashboard form (simple xml) that allows the user to use text fields to filter their results. Currently I have the default value for each of the text fields set to an asterisk. If the user only enters a value for host and field2, the token for field3 gets set to *
index=foo host="hostofmine" field2="pic*" field3="*" | stats count by host
Since field 3 is an optional field (it may or may not be in the raw json document), having a default value of * causes my search to return incomplete results. For the simple data above, only 1 event will be returned, but I would like both events to return. I tried just removing the default value, but the search doesn't execute unless I type something into the text field.
How can I make it so that the user does not have to enter a value into all 3 text fields and only the fields where the user does enter a value are part of the search?
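One way to keep the `*` defaults and still return events that lack the optional field, as an added example that is not part of the original post: the search fills a missing field3 with a literal `*` before the token filter is applied, so a `*` token matches every event while a real value only matches events that actually carry field3. The form layout, panel type and `$host$`/`$field2$`/`$field3$` token names are assumed; the index and field names come from the question.

```xml
<form>
  <label>Optional field filters (example)</label>
  <fieldset submitButton="true">
    <!-- Each input keeps "*" as its default so the search always runs -->
    <input type="text" token="host">
      <label>host</label>
      <default>*</default>
    </input>
    <input type="text" token="field2">
      <label>field2</label>
      <default>*</default>
    </input>
    <input type="text" token="field3">
      <label>field3 (optional in the raw JSON)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- host and field2 are always present, so they can stay in the base search.
               field3 may be missing: fillnull gives those events a literal "*" so that
               search field3="*" keeps them, while a user value such as pic* only matches
               events whose real field3 starts with "pic". -->
          <query>
            index=foo host="$host$" field2="$field2$"
            | fillnull value="*" field3
            | search field3="$field3$"
            | stats count by host
          </query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```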